OCMUI - OpenShift Cluster Manager UI
OCMUI-1839

CVE-2022-21618 CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-39399 openjdk: various flaws [services-openshift-cluster-manager-default]


      Security Tracking Issue

      Do not make this issue public.

      Impact: Moderate
      Reported Date: 06-Oct-2022
      Resolve Bug By: 04-Apr-2023

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

      Please review this tracker and its impact on your product or service as soon as possible. Trackers for Low and Moderate severity flaws are filed WITHOUT in-depth analysis of their impact on this product or service. For more details, please refer to the following Confluence page - https://docs.engineering.redhat.com/x/3e_3EQ

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.

      WARNING: NOTICE THAT CHANGING THE SECURITY LEVEL FROM "SECURITY ISSUE" TO "RED HAT INTERNAL" MAY BREAK THE EMBARGO.

      Flaws:
      ------

      EMBARGOED CVE-2022-21618 OpenJDK: improper MultiByte conversion can lead to buffer overflow (JGSS, 8286077)
      https://bugzilla.redhat.com/show_bug.cgi?id=2133817

      A flaw was found in the JGSS component of OpenJDK. Improper MultiByte conversions (byte vs. character) could lead to a buffer overflow vulnerability.
      ~~~

      EMBARGOED CVE-2022-21619 OpenJDK: improper handling of long NTLM client hostnames (Networking, 8286526)
      https://bugzilla.redhat.com/show_bug.cgi?id=2133745

      It was discovered that the NTLM implementation in the Networking component of OpenJDK did not properly handle long client hostnames. This could potentially lead to an integer truncation issue and data corruption on the server side.
      ~~~

      EMBARGOED JDK: Oracle CPU 2022-10
      https://bugzilla.redhat.com/show_bug.cgi?id=2133695

      The next Oracle CPU is scheduled for 18 October 2022:
      https://www.oracle.com/security-alerts/
      ~~~

      EMBARGOED CVE-2022-21626 OpenJDK: excessive memory allocation in X.509 certificate parsing (Libraries, 8286533)
      https://bugzilla.redhat.com/show_bug.cgi?id=2133753

      A flaw was discovered in the way the Libraries component of OpenJDK processed X.509 certificates, possibly allowing a specially crafted X.509 certificate to trigger excessive heap memory usage in a Java application processing such a certificate.
      ~~~

      EMBARGOED CVE-2022-21624 OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)
      https://bugzilla.redhat.com/show_bug.cgi?id=2133765

      It was discovered that the JNDI component of OpenJDK did not properly randomize DNS port numbers, potentially making it easier for a remote attacker to perform spoofing attacks.
      ~~~

      EMBARGOED CVE-2022-39399 OpenJDK: missing SNI caching in HTTP/2 (Networking, 8289366)
      https://bugzilla.redhat.com/show_bug.cgi?id=2133776

      A flaw was found in the Networking component of OpenJDK in the way the HTTP/2 protocol implementation cached server connections. This could potentially allow a malicious server sharing the same IP address as a legitimate one to perform a spoofing attack.
      ~~~

      EMBARGOED CVE-2022-21628 OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)
      https://bugzilla.redhat.com/show_bug.cgi?id=2133769

      It was discovered that the Lightweight HTTP Server component of OpenJDK did not limit the number of connections accepted from HTTP clients. This could result in resource exhaustion if multiple instances of a malicious application were started at the same time, possibly preventing other applications on the system from being able to communicate over the network.

              Assignee: Unassigned
              Reporter: rhn-support-mjuneau (Matthew Juneau)